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Earlier this year, the DFIR Report published two separate articles outlining ransomware
attacks by Conti and REvil, both of which leveraged the IcedID trojan in their intrusions.
Using the PCAP (Packet Capture) from these reports, IronNet replayed the intrusions in our
proprietary testing environment to test how IronDefense and our behavioral analytics detect
malicious activity by these groups.

REvil
To start, we'll dive in to REvil ransomware, how it traversed the network in this intrusion, and
how our analytics detected this activity.
First observed in April 2019, REvil (aka Sodinokibi) is an infamous Russia-based cybercrime
syndicate responsible for several notable attack campaigns, including the ransomware
attacks against Kaseya and JBS Foods. Operating under a ransomware-as-a-service (RaaS)
model, REvil was ranked first among the most common ransomware variants in the first half
of 2021 with 14.2% of the total market share. In October 2021, REvil reportedly shut down its
operations following the arrest of several of its members and the hijacking of its infrastructure
by law enforcement.
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Figure 1: REvil malicious traffic and IronNet behavioral analytics
The threat actors begin with a malspam campaign to deliver a malicious XLSM file. Upon
opening the macro, it initiates a WMIC (Windows Management Interface Command)
command that executes IcedID from a remote executable posing as a GIF. The initial
compromised host (172.31.5.31) downloads the malicious file hosting IcedID, which is
flagged by our knowledge-based rules.
IronNet’s knowledge-based detection uses Suricata rules to analyze netflow and detect
common malicious behavior. Knowledge-based detection is an integral part of defense-indepth and allows us to flag known indicators. However, it’s important to note that signaturebased detection should not be used alone when defending against ransomware, because
cybercriminals take incredible care to avoid reusing IOCs (e.g. domains, IPs, file hashes,
etc.) in an effort to evade signature detection.
As IcedID is downloaded to the host and executed using rundll32.exe, our Consistent
Beaconing TLS analytic fires on the nomovee[.]website domain. Our Domain Analysis
analytic is also alerted on the nomovee[.]website domain.
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The Consistent Beaconing analytic analyzes beacon activity to detect ongoing patterns of
both periodic and randomized beaconing, identifying when there is activity consistent with
repetitive attempts by malware to establish communications with a C2 server.

Figure 2: Consistent Beaconing TLS analytic firing on nomovee[.]website
It is from here that IcedID pulls down Cobalt Strike Beacons from two different commandand-control (C2) servers: cloudmetric[.]online (45.86.163.78) and smalleststores[.]com
(195.189.99.74). On both of these, our TLS Invalid Certificate Chain analytic fires detecting
suspicious TLS certificate usage.
A wide variety of malware may exhibit invalid TLS certificate chain behavior as part of C2 or
even data exfiltration activities. IronNet’s TLS Invalid Certificate Chain analytic assesses the
TLS certificate to identify self-signed or falsified TLS certificates, validating all available
server certificate chains in a flow and generating events for chains that fail the validation
process – such as it did in this case.

4/18

Figure 3: TLS Invalid Cert Chain analytic firing on smalleststores[.]com
Additionally, we have a Domain Analysis alert to support the finding for cloudmetric[.]online.
IronNet’s Domain Analysis analytic evaluates outgoing communications from an internal host
to a new or unusual domain, which could be the result of malware calling back to a domain
for instructions. Given the nature of modern networks and their reliance on domains for
communication, our Domain Analysis analytics provides value through the entire attack
chain.

Figure 4: Domain Analysis HTTP analytic firing on cloudmetric[.]online
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After establishing C2, the host begins to beacon consistently to the malicious domains. C2
communications are an integral part of a ransomware attack, especially given recent trends
where ransomware operators look to fully enumerate networks, ultimately trying to achieve
full domain compromise. Our beaconing analytics were designed to catch these types
communications, which they did for cloudmetric[.]online and smalleststores[.]com.

Figure 5: Consistent Beaconing TLS analytic firing on cloudmetric[.]online

Figure 6: Consistent Beaconing TLS analytic firing on smalleststores[.]com
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Using Cobalt Strike, lateral movement begins first to an Exchange server. After
compromising the Exchange server, the threat actors move to domain controllers (DCs) and
other servers within the environment using Server Message Block (SMB) and Cobalt Strike
Beacons that are executed via a remote service. From the DCs, the attackers carry out
additional discovery by using ADFind and the Ping utility to examine connections between
the DCs and other domain-joined systems.
It was here that our knowledge-based rules detected the primary DC (10.1.10.5) and the
internal Windows host (10.1.10.200) communicating with the Cobalt Strike C2
(45.86.163.78).

Figure 7: Knowledge-based detection of C2 communications between 10.1.10.200 &
45.86.163.78
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Figure 8: Event summary of knowledge-based detection of C2 communications between
10.1.10.5 & 45.86.163.78
Following this, the attackers used a Cobalt Strike beacon to dump credentials on the server
and DC. The threat actors began to establish RDP (remote desktop protocol) connections
between various systems. From here, the attackers used Rclone to exfiltrate files they will
leverage in a double-extortion demand. As this occurs, our Extreme Rates analytic fired on
45.86.163.78 and cloudmetric[.]online.
IronNet’s Extreme Rates analytic monitors traffic characteristics – such as the number of
bytes, packets, and flows in network peer groups – to detect when a larger-than-normal
amount of data is being extracted from the network. This presents an opportunity for
detection before encryption can kick off. Some damage may still occur if an attacker is able
to reach this point, but detecting and eradicating a threat at this stage is still immeasurably
better than after encryption occurs.
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Figure 9: Extreme Rates TLS analytic firing on cloudmetric[.]online
The attackers then start to move onto final objectives, staging the executable on a DC and
then using BITSAdmin to distribute it to each system in the domain. The ransomware is
executed over an RDP connection, leading all domain-joined systems to be encrypted.

9/18

Conti
Let's now dive in to Conti, how it traversed the network in this intrusion, and how our
analytics detect this activity.
Conti is a prolific ransomware family that first emerged in May of 2020. The group garnered
particular attention in 2021 for several cyberattacks on healthcare institutions, including the
Ireland Health Service Executive (HSE). Overall, Conti has been connected by the FBI to
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more than 400 cyberattacks worldwide – 75% of which targeted organizations in the U.S.

Figure 10: Conti malicious traffic and IronNet behavioral analytics
The attackers begin with a phishing campaign delivering a Zip file that contains a malicious
Javascript file. Our Phishing HTTPS analytic catches this interaction with the phishing link
and fires on expertulthima[.]club.
IronNet’s Phishing HTTPS analytic analyzes all SSL/TLS encrypted communications from
internal devices to external domains, the SNI (Server Name Indication), and the certificate of
the destination to identify communications with phishing domains employing targeted brand
imitation via HTTPS. Our analytics are not isolated to just email-based phishing, but also
identify any time a user appears to be interacting with a phishing link or submitting sensitive
information to a suspicious external entity.
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Figure 11: Phishing HTTPs analytic firing on expertulthima[.]club
The file eventually downloads and executes the IcedID trojan via rundll32.exe. In the initial
IcedID execution, our Domain Analysis analytic fires on vaclicinni[.]xyz, dictorecovery[.]cyou,
oxythuler[.]cyou, Thulleultinn[.]club, and Expertulthima[.]club.
IronNet’s Domain Analysis analytic monitors outgoing communications, and it provides
unique value as it does not rely on the existence of any additional behaviors, just the usage
of a suspicious domain.

Figure 12: Domain Analysis HTTP analytic firing on vaclicinni[.]xyz
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In addition to Domain Analysis, our Consistent Beaconing analytic fired for oxythuler[.]cyou,
Thulleultinn[.]club, and Expertulthima[.]club, and our TLS Invalid Certificate Chain analytic
fired for oxythuler[.]cyou and thulleultinn[.]club.

Figure 13: Consistent Beaconing TLS analytic firing on oxythuler[.]cyou

Figure 14: Consistent Beaconing TLS analytic firing on thulleultinn[.]club
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Figure 15: Consistent Beaconing TLS analytic firing on expertulthima[.]club
The TLS Invalid GCertificate Chain analytic validates all available server certificate chains in
a flow and generates events for chains that fail the validation process. The events include
the reason why validation failed, the root certificate issuer, and the number of internal
devices that are communicating with the device issuing the root certificate.

Figure 16: TLS Invalid Cert Chain analytic firing on oxythuler[.]cyou
Once the attackers successfully infect the system with IcedID, they drop and execute a
Cobalt Strike beacon. At this point, our knowledge-based rules fire to detect Cobalt Strike C2
(192.99.178.145).
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Figure 17: Knowledge-based detection of Cobalt Strike C2 (192.99.178.145)

Figure 18: Knowledge-based detection of Cobalt Strike C2 (192.99.178.145)
The attackers then perform domain enumeration using native Windows tools such as
nltest.exe, whoami.exe, and net.exe. They escalate to SYSTEM privileges via Cobalt Strike’s
built-in “named pipe impersonation” functionality.
Moving laterally to the DCs, the threat actors utilize SMB to transfer and execute a Cobalt
Strike Beacon. During this, one of the DCs conducts port scanning activity to identify open
ports. Afterward, the threat actors transfer a Cobalt Strike DLL (Dynamic Link Library) to
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Admin shares and distribute it throughout the environment using PsExec. Our Consistent
Beaconing and Domain Analysis analytics fire for the Cobalt Strike C2 domain
dimentos[.]com.

Figure 19: Consistent Beaconing HTTP analytic firing on dimentos[.]com
Later on, the attackers establish RDP connections to the DC and other systems throughout
the environment. To do this, they use a redirector (38.135.122.194) to proxy the RDP traffic
passing through the IcedID process. This activity was caught by our Extreme Rates analytic.

Figure 20: Extreme Rates analytic firing on 38.135.122.194

16/18

For defense evasion, the threat actors modified the Group Policy to disable Windows
Defender and force updated it to all clients using Cobalt Strike. Around two and a half hours
after initial intrusion, the Cobalt Strike Beacon processes inject the Conti DLL into memory,
and all active systems are encrypted.
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So what?
In this article, we explained how IronNet advanced analytics detect ransomware attacks by
two of the most prolific ransomware groups: REvil and Conti. Despite the evasive strategies
employed by both of these two threat groups, it is clearly apparent that through behavioral
analytics, their behaviors are detectable across all stages of the kill chain and before a
ransomware payload is ever executed.
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